Reverse Proxy в Nginx

Настройка Nginx как обратного прокси для приложений Node.js, Python, Docker контейнеров и других бэкендов.

Базовая конфигурация Reverse Proxy

Проксирование Node.js приложения

# /etc/nginx/conf.d/app.example.com.conf

upstream nodejs_backend {
    server 127.0.0.1:3000;
    server 127.0.0.1:3001 backup;

    keepalive 32;
    keepalive_requests 1000;
    keepalive_timeout 60s;
}

server {
    listen 443 ssl http2;
    server_name app.example.com;

    # SSL конфигурация
    ssl_certificate /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

    # Логи
    access_log /var/log/nginx/app.example.com.access.log main;
    error_log /var/log/nginx/app.example.com.error.log;

    # Увеличиваем таймауты для API
    proxy_connect_timeout 60s;
    proxy_send_timeout 60s;
    proxy_read_timeout 60s;

    # Буферизация
    proxy_buffering on;
    proxy_buffer_size 128k;
    proxy_buffers 256 16k;
    proxy_busy_buffers_size 256k;
    proxy_temp_file_write_size 256k;

    location / {
        proxy_pass http://nodejs_backend;
        proxy_http_version 1.1;

        # Заголовки для корректной работы приложения
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;

        # Для WebSocket
        proxy_cache_bypass $http_upgrade;
    }

    # Статические файлы напрямую
    location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        try_files $uri @nodejs;
    }

    # Fallback на Node.js
    location @nodejs {
        proxy_pass http://nodejs_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}

Проксирование Docker контейнеров

# Множественные контейнеры за одним доменом

upstream app_frontend {
    server 127.0.0.1:3000;
}

upstream app_api {
    server 127.0.0.1:3001;
    server 127.0.0.1:3002;

    # Health check (nginx-plus)
    # health_check;
}

upstream app_admin {
    server 127.0.0.1:3003;
}

server {
    listen 443 ssl http2;
    server_name myapp.example.com;

    ssl_certificate /etc/letsencrypt/live/myapp.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapp.example.com/privkey.pem;

    # Фронтенд приложение
    location / {
        proxy_pass http://app_frontend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }

    # API эндпоинты
    location /api/ {
        proxy_pass http://app_api/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # CORS заголовки
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
        add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";

        # Обработка OPTIONS запросов
        if ($request_method = 'OPTIONS') {
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
            add_header Access-Control-Max-Age 1728000;
            add_header Content-Type 'text/plain; charset=utf-8';
            add_header Content-Length 0;
            return 204;
        }
    }

    # Админ панель с базовой аутентификацией
    location /admin/ {
        auth_basic "Admin Area";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass http://app_admin/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Load Balancing

Различные методы балансировки

# Round-robin (по умолчанию)
upstream backend_roundrobin {
    server backend1.example.com;
    server backend2.example.com;
    server backend3.example.com;
}

# Least connections
upstream backend_least_conn {
    least_conn;
    server backend1.example.com;
    server backend2.example.com;
    server backend3.example.com;
}

# IP hash (sticky sessions)
upstream backend_ip_hash {
    ip_hash;
    server backend1.example.com;
    server backend2.example.com;
    server backend3.example.com;
}

# Weighted round-robin
upstream backend_weighted {
    server backend1.example.com weight=3;
    server backend2.example.com weight=2;
    server backend3.example.com weight=1;
    server backend4.example.com backup;
}

# Hash балансировка
upstream backend_hash {
    hash $request_uri consistent;
    server backend1.example.com;
    server backend2.example.com;
    server backend3.example.com;
}

Мониторинг здоровья серверов

upstream backend_with_health {
    server backend1.example.com max_fails=3 fail_timeout=30s;
    server backend2.example.com max_fails=3 fail_timeout=30s;
    server backend3.example.com max_fails=3 fail_timeout=30s down;
    server backend4.example.com backup;
}

Кэширование ответов

Настройка proxy_cache

# В http блоке
http {
    proxy_cache_path /var/cache/nginx/proxy
                     levels=1:2
                     keys_zone=app_cache:10m
                     max_size=1g
                     inactive=60m
                     use_temp_path=off;

    proxy_cache_key "$scheme$request_method$host$request_uri";
}

server {
    location /api/ {
        proxy_pass http://app_api/;

        # Кэширование
        proxy_cache app_cache;
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 404 1m;
        proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
        proxy_cache_background_update on;
        proxy_cache_lock on;

        # Заголовки кэша
        add_header X-Cache-Status $upstream_cache_status;

        # Условия кэширования
        proxy_cache_bypass $http_pragma $http_authorization;
        proxy_no_cache $http_pragma $http_authorization;

        # Игнорируем заголовки от бэкенда
        proxy_ignore_headers Cache-Control Expires Set-Cookie;
    }

    # Очистка кэша (только для администраторов)
    location ~ /purge(/.*) {
        allow 127.0.0.1;
        deny all;
        proxy_cache_purge app_cache "$scheme$request_method$host$1";
    }
}

WebSocket проксирование

# Специальная конфигурация для WebSocket
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

upstream websocket_backend {
    server 127.0.0.1:8080;
    server 127.0.0.1:8081;
}

server {
    listen 443 ssl http2;
    server_name ws.example.com;

    location /ws/ {
        proxy_pass http://websocket_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Важные настройки для WebSocket
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
        proxy_connect_timeout 86400;
    }
}

Безопасность Reverse Proxy

Ограничение доступа к бэкенду

# Блокировка прямого доступа к портам приложений
server {
    listen 3000;
    server_name _;
    return 444;
}

# Или через iptables
# iptables -A INPUT -p tcp --dport 3000 -s 127.0.0.1 -j ACCEPT
# iptables -A INPUT -p tcp --dport 3000 -j DROP

Фильтрация заголовков

location / {
    proxy_pass http://backend;

    # Удаляем чувствительные заголовки
    proxy_hide_header X-Powered-By;
    proxy_hide_header Server;

    # Добавляем безопасные заголовки
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Не передаем внутренние заголовки
    proxy_set_header Authorization "";
}

Мониторинг и логирование

Детальное логирование

log_format proxy_log '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    'upstream_addr=$upstream_addr '
                    'upstream_status=$upstream_status '
                    'upstream_response_time=$upstream_response_time '
                    'request_time=$request_time';

server {
    access_log /var/log/nginx/proxy.access.log proxy_log;

    location / {
        proxy_pass http://backend;

        # Добавляем заголовки для отладки
        add_header X-Upstream-Addr $upstream_addr;
        add_header X-Upstream-Status $upstream_status;
        add_header X-Upstream-Response-Time $upstream_response_time;
    }
}

Производительность

Для высоких нагрузок используйте keepalive соединения к бэкендам и настройте proxy_cache.

Безопасность

Всегда фильтруйте заголовки и ограничивайте прямой доступ к портам приложений.